Remove options for searching for "Artist requested removal" and
"duplicate" flag reasons. These were legacy flag reasons that haven't
been used for a long time.
Remove the creator_id field from artists, notes, and pools. The
creator_id wasn't otherwise used and was inconsistent with the
artist/note/pool history in some cases, especially for old artists.
* Don't show who disapproved the post to other users. Only show the
creator to mods or to the disapprover themselves.
* Let unprivileged users see the /post_disapprovals index.
Remove the post update count estimate from BUR show pages. This was
complex, slow, and usually inaccurate since it assumed that requests in
a BUR had no overlap with each other, which usually wasn't the case.
Format scripts on the BUR index page as dtext, the same way they're
formatted in forum posts. This means that tags have colors and underlines,
but they don't have post counts. Gathering post counts was too slow.
Refactor to use accepts_nested_attributes_for instead of the notes
attribute to facilitate editing wikis on the artist edit page.
This fixes the notes attribute unintentionally showing up in the API.
This also changes it so that renaming an artist entry doesn't
automatically rename the corresponding wiki page. This had bad behavior
when there was a conflict between wiki pages (the wikis would be
silently merged, which usually isn't what you want). It also didn't warn
about wiki links being broken by renames.
* Replace the .category-N CSS classes on tags with .tag-type-N. Before
we were inconsistent about whether tag colors were indicated with
.category-N or .tag-type-N. Now it's always .tag-type-N.
* Fix various places to not use Tag.category_for. Tag.category_for does
one Redis call per tag lookup, which leads to N Redis calls on many
pages. This was inefficient because usually we either already had the
tags from the database, or we could fetch them easily.
- The only string works much the same as before with its comma separation
-- Nested includes are indicated with square brackets "[ ]"
-- The nested include is the value immediately preceding the square brackets
-- The only string is the comma separated string inside those brackets
- Default includes are split between format types when necessary
-- This prevents unnecessary includes from being added on page load
- Available includes are those items which are allowed to be accessible to the user
-- Some aren't because they are sensitive, such as the creator of a flag
-- Some aren't because the number of associated items is too large
- The amount of times the same model can be included to prevent recursions
-- One exception is the root model may include the same model once
--- e.g. the user model can include the inviter which is also the user model
-- Another exception is if the include is a has_many association
--- e.g. artist urls can include the artist, and then artist urls again
Remove the list of most-used source domains from artist summaries. This
took up a lot of space and usually wasn't very useful. It was also slow.
We had to calculate this on every artist tag search so we could display
it in the Artist tab, even though usually the user didn't open the tab.
* Link other names to artist searches instead of to the new artist page.
* Remove the asterisk next to other names indicating the name isn't used
as the primary name of another artist. This is almost always the case.
- Added a changes column explicitly listing all of the changes
-- This makes it more in line with the other version views now
- Does a symmetric difference on the array fields to detect changes
- Changed to using the diff-body CSS class
-- Removed unnecessary elements from the CSS style file
- Does a symmetric difference on the array fields to detect differences
- Add more descriptors to the status/changes column
- Specifically add <br> to statuses to cause line breaks
- Changed to using the diff-body CSS class
-- Removed unneeded CSS style file
- Removed trailing whitespace after the >>> link
-- It was causing artifact line-throughs to appear after the link
- Changed the diff link to only render when a text field has changed
-- Because the post changes are already shown on the index view
- Specifically add <br> to statuses to cause line breaks
- All text fields are now shown in their non-rendered form
-- This allows changes to be highlighted with the diff builder
-- The different fields were labeled and separated for easier discernment
-- Fields are only shown if they have text in either the current or previous versions
- Various changes are also verbalized for easier discovery
- The date and the user columns were combined
-- This is more in line with other indexes, plus it saves on space
- The revert listing was changed to use a thumbnail instead of post ID links
-- This makes it more in line with the post versions index
- Body now uses the diff builder to highlight changes
-- A generalized diff-body class was added instead of something specific
- The status changes are now verbalized instead of being shown with styles
- The position and sizes are now split up
-- Changes directly reference the previous version
- The date and user columns were combined
-- This is more in line with other indexes, plus it saves space
Fix an invalid SQL exception that occurs when the paginator tries to
do a COUNT(*) to calculate the page count of a relation that already
includes a GROUP BY + COUNT(*) clause. We need to nest the whole query
inside a `SELECT COUNT(*) FROM (...)` subquery so the inner COUNT(*)
doesn't mess up the outer COUNT(*).
Fixes#4285.
Calling next_page here raises an exception when calculating the page
count because it can't handle SQL containing a GROUP BY clause. Swallow
the exception as a temp fix.
Fix a couple security issues related to dmail permalinks. Dmails have a
permalink that you can give to a Mod to let them read the dmail. This is
done with a key param that grants access when the dmail is opened by
another user. The key param had several problems:
* The key contained a full copy of the message's title and body encoded in
base64. This meant that anyone given a dmail permalink could read the
full dmail just by decoding the key in the link, without even having
to open the link.
* The key was derived from the dmail's title and body. If you knew or
could guess a dmail's title and body you could open the dmail. One
case when this was possible was when sending dmails. You could send
someone a dmail, take the permalink from your sent copy of the dmail,
then increment the dmail id to open the receiver's copy of the dmail.
Since the sent copy and the received copy both had the same title and
body, they both had the same dmail key. This let you check whether a
person had read your dmail, and what time they read it at.
* The key verification was done with an insecure string comparison
rather than a secure constant-time comparison. This was potentially
vulnerable to timing attacks.
* Opening a dmail belonging to another user would mark it as read for them.
The fix to all this is to use the dmail's id as the key instead of the
dmail's title and body. This means that old permalinks no longer work.
This is unavoidable given the issues above.
Other changes:
* The name of the 'Permalink' link is now 'Share'.
* Anyone with the 'Share' link can view the dmail, not just Mods.
* Add ability to mark dmails as unread.
* Fix users.unread_dmail_count to not count deleted dmails.
* Fix show action so that API calls don't mark dmails as read.
* Don't show the unread dmail notice on the /dmails page itself.
* Stop using users.has_mail flag.
* Add unread and deleted dmail folders.
* Remove dmail_folder cookie (wasn't used).
* Default to the received folder so that we don't show sent messages by default.
Turn deletions into soft deletions (set the is_deleted flag) instead of
hard deletions (remove from database). The is_deleted flag actually
already existed, but it was never used before.
Add <link rel="prev"> and <link rel="next"> elements to most pages with
pagination. This should work on all index pages, but it won't work for
things like pool or forum topic show pages.
Also remove the <link rel="top"> element (wasn't useful, was just a link
back to the root url).
Allow all users to view and edit artist entries and wiki pages belonging
to banned artists. There was little need to hide these pages from
Members, it was mainly to appease artists who didn't like us even
linking to their sites.
These restrictions also had multiple flaws:
* Banned artist information was still visible in the API.
* It was still possible to edit banned artists using the API.
* It was still possible for unprivileged users to revert banned
artist entries or wiki pages to previous versions.
* The restrictions were inconsistent: in various places they were
either Member-only, Gold-only, or Builder-only.
Also remove options to configure names of wiki notice pages. These names
generally don't need to be changed and we already hardcode links to wiki
pages in other places anyway.
* Add ability to report dmails.
* Enable reports for comments, forum posts, and dmails.
* Allow Members to send reports.
* Don't allow users to report the same thing twice.
